Apple plugs 16 holes in Safari as Pwn2Own looms
Browser expected to fall first in hacking contest gets fixes for critical flaws
Computerworld - Two weeks before a browser hacking contest is to kick off in Vancouver, British Columbia, Apple Inc. yesterday patched 16 vulnerabilities in Safari, 12 of them critical bugs that could be used to hijack a machine.
Apple updated Safari for both Mac OS X and Windows to Version 4.0.5, hardening the browser before it's tossed into the ring with Microsoft's Internet Explorer, Mozilla's Firefox and Google's Chrome at this year's Pwn2Own hacking challenge. The contest organizer has predicted that Safari would be the first to fall when researchers battle for $40,000 in prize money beginning March 24 at the CanSecWest security conference.
The last time that Apple refreshed Safari was in November 2009, when seven bugs were quashed with Version 4.0.4.
According to Apple's advisory, three-fourths of the vulnerabilities -- 12 of the 16 -- got Apple's "arbitrary code execution" label, meaning the flaws are critical and could be exploited to compromise a Mac or a Windows machine. Unlike other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.
Nine of the 16 flaws patched Thursday were in the open-source WebKit browser engine that forms the foundation of Safari; six affected only the Windows version, which runs on XP, Vista and Windows 7. Of the half-dozen Windows-only vulnerabilities, four were in the Image IO component and could be triggered by specially-crafted TIFF or BMG image files when rendered by Safari.
Two of the 16 were reported to Apple by browser rivals. Billy Rios, a browser bug researcher who formerly worked at VeriSign Inc. but now is on the Microsoft Vulnerability Research (MSVR) team, was credited with identifying one of the Windows-only flaws; Robert Swiecki of Google found one of the WebKit vulnerabilities.
The WebKit fixes may be timely. Last month, Aaron Portnoy, security research team lead with 3Com Corp.'s TippingPoint unit, the sponsor of Pwn2Own, bet that Safari would crumble at the contest in part because it's built "on the notoriously buggy WebKit."
In both 2008 and 2009, researcher Charlie Miller hacked into a Mac within minutes at Pwn2Own by exploiting an unpatched Safari vulnerability.
Safari 4.0.5 also included stability improvements for unspecified third-party browser plug-ins, performance improvements for the Top Sites feature that shows users domains they visit most often, and fixes for non-security-related bugs that affect the way the browser handles router settings and works with the iWork suite's Web-based document sharing site.
Safari 4.0.5 can be downloaded from Apple's site for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Mac OS X 10.6 (Snow Leopard), Windows XP, Windows Vista and Windows 7. Mac OS X users will be notified of the new version automatically by the operating system's software update feature, while Windows users already running Safari will be informed by the Apple Software Update tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts